Why we made this change

Visitors are allowed 3 free articles per month (without a subscription), and private browsing prevents us from counting how many stories you've read. We hope you understand, and consider subscribing for unlimited online access.

Smart cryptography may help limit the damage from the MyFitnessPal megabreach

The fitness app uses a technology called bcrypt that will give the hackers a serious headache.

It doesn’t look good for Under Armour. The apparel giant and owner of the diet-tracking app MyFitnessPal just suffered one of the biggest data breaches in cybersecurity history, with hackers getting away with information including the usernames, e-mail addresses, and passwords associated with approximately 150 million accounts.

But not all hacks are equally disastrous, and this one could turn out to be less damaging than some other huge leaks thanks to Under Armour’s use of a technology called bcrypt to shield many of the stolen passwords.

To appreciate why bcrypt matters, some background on cryptographic defenses helps. The basic approach to shielding passwords involves “hashing,” which converts them into random strings of characters stored in a database. When someone logs in with a plain-text password, the hashed version of this is checked against the hash of their password retrieved from the database; if there’s a match, access is granted. If hackers break into the database, all they get are the hashes, not the actual passwords.

Hashes aren’t designed to be reversed into plain text, but that doesn’t stop the bad guys from trying. Among the tactics they use are “dictionary attacks,” which involves hashing common passwords and phrases to see if these match the encrypted data that’s been stolen, and “brute-force attacks,” which try every possible combination of characters up to a given length to unravel a hash.

To make hackers’ lives harder, smart defenders often use “salting,” which is crypto-speak for appending randomly generated characters to a plain-text password before it’s hashed. This ensures that no two passwords can have the same hash. While salting is a bane to hackers, they can still try to break individualized ciphers using brute-force and dictionary attacks.

That’s where bcrypt comes in. In addition to using salting, it extends the amount of time it takes to run a hash function by requiring multiple rounds of computation to get to a result. “It’s deliberately designed to be colossally slow,” explains Paul Kocher, senior technology advisor at Rambus and a well-known cryptography expert.

“Slow” here is still measured in milliseconds, so the impact on the user’s experience of logging into an app or site is barely noticeable. But even very small delays can frustrate hackers using high-end computer hardware to try to run through billions of hashes a second. Technologies like bcrypt give businesses more time to respond to a breach, and users more time to change their passwords. Under Armour was smart to use bcrypt, though why it didn’t apply it to all of the passwords associated with MyFitnessApp remains a mystery. (The ones not covered by it were protected using a weaker hashing function known as SHA-1.)

The fact that bcrypt can only delay hackers, not thwart them altogether, means it’s still really important to change passwords fast if you’re notified that a service you use has been breached, and to avoid using the same password across multiple applications. It’s also why it pays to use hard-to-guess passwords rather than common ones that can be quickly unpicked by hash-cracking hackers.

Keep up with the latest in cyber security at EmTech Digital.Don't be left behind.

Share

Tagged

I am the San Francisco bureau chief of MIT Technology Review, where I cover the future of computing and the companies in Silicon Valley that are shaping it. Before joining the publication, I led research and publishing at a venture capital… More firm focused on business technology. Prior to that, I worked for The Economist for many years as a reporter and editor, most recently as the paper’s West Coast-based tech writer.

Digital transformation in certain Asia-Pacific markets is already heavily underway particularly in terms of internal systems, products, and services. The digitalization of manufacturing and supply chains is lagging but will be substantially accelerated by the launch of 5G.

You've read
of three
free articles this month.
Subscribe now for unlimited online access.
You've read
of three
free articles this month.
Subscribe now for unlimited online access.
This is your last free article this month.
Subscribe now for unlimited online access.
You've read all your free articles this month.
Subscribe now for unlimited online access.
You've read
of three
free articles this month.
Log in for more, or subscribe now for unlimited online access.
Log in for two more free articles, or subscribe now
for unlimited online access.